From: http://www.linuxforum.net/forum/printthread.php?Cat=&board=Nm&main=462808&type=post
There are already plenty of articles about Netcat, so I won't repeat how powerful it is.
Netcat can act as a client much like telnet, listen on a port as a server, scan the ports of another host like a scanner, or transfer files. Don't believe it? Let me explain slowly :)
First we need to understand how Netcat works. The principle is actually very simple: it reads data from one end of a network connection and writes it out to the other end, over either TCP or UDP. It is called Netcat because it is cat for the network. Think of what cat does: it reads the contents of a file and writes them to stdout (by default the screen, but stdout can be redirected elsewhere). Netcat reads its input on one end and sends it to the other end of the network; that's all there is to it. But don't underestimate it: Netcat can do a great deal, especially when combined with other programs. Okay, enough talk, let's get started :P
There are two versions of Netcat around: @stake's Netcat, http://www.atstake.com/research/tools/network_utilities/, and GNU Netcat, http://netcat.sourceforge.net/download.php.
I personally prefer GNU Netcat because it has more features, but GNU Netcat has no Windows version :confused:
As for compiling and installing, I hardly need to say anything; if I had to explain that it would be a bit much... Check the README and INSTALL files.
./configure && make install is enough; for the specific ./configure options, see its --help.
Netcat's command-line program is named nc, short for Netcat. After installing, don't go looking for a program called netcat :)
root@mail /etc # nc -h
GNU netcat 0.7.0, a rewrite of the famous networking tool.
Basic usages:
connect to somewhere:  nc [options] hostname port [port] ...
listen for inbound:    nc -l -p port [options] [hostname] [port] ...
tunnel to somewhere:   nc -L hostname:port -p port [options]

Mandatory arguments to long options are mandatory for short options too.
Options:
  -c, --close                close connection on EOF from stdin
  -e, --exec=PROGRAM         program to exec after connect
  -g, --gateway=LIST         source-routing hop point[s], up to 8
  -G, --pointer=NUM          source-routing pointer: 4, 8, 12, ...
  -h, --help                 display this help and exit
  -i, --interval=SECS        delay interval for lines sent, ports scanned
  -l, --listen               listen mode, for inbound connects
  -L, --tunnel=ADDRESS:PORT  forward local port to remote address
  -n, --dont-resolve         numeric-only IP addresses, no DNS
  -o, --output=FILE          output hexdump traffic to FILE (implies -x)
  -p, --local-port=NUM       local port number
  -r, --randomize            randomize local and remote ports
  -s, --source=ADDRESS       local source address (ip or hostname)
  -t, --tcp                  TCP mode (default)
  -T, --telnet               answer using TELNET negotiation
  -u, --udp                  UDP mode
  -v, --verbose              verbose (use twice to be more verbose)
  -V, --version              output version information and exit
  -x, --hexdump              hexdump incoming and outgoing traffic
  -w, --wait=SECS            timeout for connects and final net reads
  -z, --zero                 zero-I/O mode (used for scanning)

Remote port number can also be specified as range.  Example: '1-1024'
I use GNU Netcat; it has a very useful option that @stake's Netcat lacks, which we'll come to later. Note that GNU Netcat's -L, -T and -t options have different meanings from @stake's -L and -t options.
I. Client
This is the simplest usage: nc <host> <port>
nc www.apache.org 80
Get, HTTP, 1.1

HTTP/1.1 400 Bad Request
Date: Mon, 08 Dec 2003 06:23:31 GMT
Server: Apache/2.0.48-dev (Unix)
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr />
<address>Apache/2.0.48-dev (Unix) Server at www.apache.org Port 80</address>
</body></html>
Haha, I barely said anything and already got something back :P
II. Simple server
nc -l -p <portnumber>   // here -l puts nc in listen mode and -p sets the port number.
nc -l -p 1234   [assume this host's IP address is 192.168.0.1]
On the client, enter: nc 192.168.0.1 1234
Now whatever you type on either end is displayed on the other. In fact there is little difference between the Netcat server and the client; the only difference is which side runs -l to listen on the port. Once the connection is established there is no difference at all. From this we can also understand how Netcat works: it reads and writes data over a network connection. ["It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol", as the @stake homepage puts it.]
III. Telnet server
nc has a -e option that specifies a program to execute after the connection is made.
On Windows you can specify -e cmd.exe (Windows XP/2000; on Windows 98 it is command.exe). On Linux, specify -e bash, or any shell you like, or a program you wrote yourself, which is how it usually ends up being used as a backdoor :P
The effect of -e is that the program you specify takes nc's place: it receives the input from the other end, and its output (the result of the command) is sent back to the other end.
Server: nc -l -p 1234 -e bash
Client: nc 192.168.0.1 1234
In fact -e does not have to be on the server; it can be on the client instead:
Server: nc -l -p 1234
Client: nc -e bash 192.168.0.1 1234
Now it is as if the server had logged on remotely to the client. As I said earlier, the distinction between client and server is meaningless. Which side acts as the telnet server? There is just one criterion: whichever side runs -e [shell].
IV. FTP server
nc can take its input from anywhere, not only from the program given by -e but also from a file, and it can send its output anywhere, not just the default screen. Specifying this is simple: use the > and < redirection operators.
Example 1: server: nc -l -c -p 1234 < /etc/passwd   [This is very dangerous. Don't put it on a public network; if I see it, hmph... :P]
Client: nc 192.168.0.1 1234 > somefile
Example 2: server: nc -l -c -p 1234 > somefile
Client: nc 192.168.0.1 1234 < /etc/passwd
The -c option closes the connection when end-of-file is reached on stdin, i.e. when the file transfer finishes; it is unique to GNU Netcat. If you don't specify -c, or you use @stake's Netcat, press Ctrl+C to close the connection after the transfer ends.
5. Port scanning
nc -z -w 2 -v www.somewhere.com port [port [port-port]] ...
-z selects zero-I/O mode: Netcat sends no data from the source system. Without it Netcat would hang on a port indefinitely, so you must specify -z when scanning.
-w specifies the timeout, in seconds.
-v verbose mode
Example: nc -z -w 2 -v www.somewhere.com 20-30 80 100-112 443
However, I don't recommend Netcat for scanning: I think it is not fast enough, the information it returns is incomplete, and more importantly it is not stealthy. nmap is a better choice; if I have time I'll discuss nmap's cool features in another article. [advertising first :P]
6. Putting it all together
The power of UNIX lies not in any single program but in combining many simple tools. Use your imagination and you'll discover how beautiful the Unix world is.
Example 1. [Background] A host is suspected of having been compromised and having a rootkit installed. We want to compare it with another, clean host.
Compromised host:
find /etc -type f | xargs md5sum | nc -l -p 1234 -c
Clean host:
nc 192.168.0.1 1234 | md5sum -c - | grep -v OK   // md5sum -c checks the checksums in the given list against the named files; "-" means read the list from standard input.
// Files whose checksum matches are reported as OK; we filter those lines out and show only the ones that don't match.
Example 2. Check the SUID and SGID programs on the compromised host.
Compromised host: find / -xdev -type f -user root \( -perm -4000 -o -perm -2000 \) | xargs md5sum | nc -l -c -p 1234
Remote host: nc 192.168.0.33 1234 | md5sum -c - | grep -v OK
Example 3. Image the compromised host's disk remotely.
Compromised host:
dd if=/dev/hda1 bs=1024 | nc -l -p 1234 -c
Remote host:
nc 192.168.0.1 1234 > /check/host.disk1
Then you can use the Linux kernel's loopback device to mount host.disk1 read-only and do the forensic analysis on the image.
[If you are doing forensic analysis, do not run find or similar operations on the original victim host's disk, because that modifies timestamps and destroys the original evidence.]
Example 4. Compress the files before transferring them.
If your files are large, why not compress them first? With pipes we don't even need to create an intermediate compressed file!
Source host: tar czf - work | nc -l -c -p 1234
Target host: nc 192.168.0.1 1234 | tar xzvf -
[It's best not to use absolute paths when packing with tar. GNU tar can convert them into relative paths, but not every platform's tar does. If you don't want to mess up your filesystem, use relative paths.]
............
Which side is the server and which the client is interchangeable. Take example 1 in section 6; you can also do it this way:
Clean host: nc -l -p 1234 -c | md5sum -c - | grep -v OK
Compromised host: find /etc -type f | xargs md5sum | nc 192.168.0.2 1234
In fact none of this is a fixed recipe; you can come up with more methods based on your actual needs, because you are using UNIX, and that is what UNIX is about.
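The comparison pipeline from examples 1 and 2 of section 6 (and its reversed form just above), as an added example that is not part of the original post, arranged so it can be tried on one machine: the nc hop is replaced by a shell pipe, the directory contents are constructed, and the function and directory names are my own. The manifest format (find | xargs md5sum) and the md5sum -c - | grep -v OK check are the page's. It also shows the one case the page's pipeline misses: md5sum -c only reports files that appear in the manifest, so a file removed from the suspect host shows up nowhere unless the two file lists are also compared. Bear in mind as well that find, xargs and md5sum on the suspect host are exactly the binaries a rootkit replaces, so in a real investigation run them from known-good media.

```shell
#!/bin/sh
# Added example, not code from the original post: the rootkit-check pipeline
# of section 6 run on a single machine. The nc hop is replaced by a shell pipe;
# sample directories are constructed here and are not real /etc contents.

# Suspect side: same as "find DIR -type f | xargs md5sum", but with paths made
# relative to DIR so the manifest can be checked against a reference tree
# rooted somewhere else. (On real hosts use the page's absolute /etc paths,
# which are identical on both machines.)
make_manifest() {
    (cd "$1" && find . -type f | sort | xargs md5sum)
}

# Clean side: reads a manifest on stdin, verifies it against the reference
# tree in $1 and prints only the lines that are not OK. The trailing "|| true"
# keeps the function usable under set -e when every file matches (grep -v
# would otherwise return 1 for "no output").
check_manifest() {
    (cd "$1" && md5sum -c - 2>/dev/null | grep -v ': OK$') || true
}

# Caveat the page's pipeline does not cover: md5sum -c only looks at files
# that appear in the manifest, so a file the intruder deleted on the suspect
# host is never reported. This lists reference files absent from the manifest.
missing_from_manifest() {
    listed_tmp=$(mktemp)
    sed 's/^[0-9a-f]*  //' | sort > "$listed_tmp"   # strip the "<hash>  " prefix
    (cd "$1" && find . -type f | sort) | comm -23 - "$listed_tmp"
    rm -f "$listed_tmp"
}

# Constructed fixture: a clean tree and a suspect copy with one modified file,
# one added file and one deleted file.
build_fixture() {
    fx=$1
    mkdir -p "$fx/clean/sub" "$fx/suspect/sub"
    for side in clean suspect; do
        printf 'root:x:0:0:root:/root:/bin/sh\n' > "$fx/$side/passwd"
        printf 'nameserver 192.0.2.1\n'          > "$fx/$side/resolv.conf"
        printf 'PermitRootLogin no\n'            > "$fx/$side/sub/sshd_config"
    done
    printf 'PermitRootLogin yes\n' > "$fx/suspect/sub/sshd_config"   # modified
    printf 'constructed\n'         > "$fx/suspect/sub/extra.cfg"     # added
    rm -f "$fx/suspect/resolv.conf"                                  # deleted
}

# Run the whole comparison once and print the findings.
demo() {
    work=$(mktemp -d)
    build_fixture "$work"
    manifest=$(make_manifest "$work/suspect")
    echo "== changed or unknown on the suspect host =="
    printf '%s\n' "$manifest" | check_manifest "$work/clean"
    echo "== present on the clean host but gone from the suspect host =="
    printf '%s\n' "$manifest" | missing_from_manifest "$work/clean"
    rm -rf "$work"
}

demo
```

On the constructed tree the first list shows sub/sshd_config as FAILED and sub/extra.cfg as "FAILED open or read" (the clean host has no such file), while resolv.conf appears only in the second list; that second list is the step the page's one-liner leaves out.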
That's all; I'll stop here. This is the Swiss Army knife. What do you think? Netcat actually has many other uses; the only limit is your imagination. Tell me what you know, okay?
Of course, there are aspects I still haven't written about, such as Netcat relays. Some hackers use Netcat's relay function as a stepping stone to avoid being traced.
I have never studied this and don't have the time. If any expert knows, please let me know.